Flame on: The greatest cyberweapon ever?

posted at 5:21 pm on May 29, 2012 by Allahpundit

Now that you’re done with the NYT piece on Obama’s Al Qaeda “kill list,” take 10 more minutes and dive into Wired’s fascinating read on the greatest spy machine ever invented. Unlike Stuxnet, this one doesn’t mess with industrial equipment; all it does is record virtually everything you’re doing on your computer — or within earshot of your computer — while leaving almost no trace of its existence.

The apparent target is just who you’d think it’d be.

The [Flame] malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware…

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

Current estimates are that about 1,000 computers worldwide are infected, a plurality of which are in Iran. Interestingly, though, Flame doesn't spread on its own: its propagation routines (USB sticks, the local network) only run when its operators switch them on. Stuxnet replicated automatically, so much so that Richard Clarke theorized there must have been a flaw in its programming. Not only does replication make it more likely that the virus will be detected, but these are, after all, the cyber equivalents of atomic bombs. The more freely available the code is, the more likely it is that hackers and/or U.S. enemies will reverse-engineer it to wreak havoc. (Then again, hackers can already access virtually any unsecured U.S. network, in which case who needs Flame?) The braintrust behind Flame evidently took care to keep its exposure limited, which helps explain why it wasn't discovered as quickly as Stuxnet.

Apparently there are almost no similarities between Stuxnet and Flame except, per Wired, one possible likeness in an export function and the ability to spread via USB sticks by exploiting the same Windows vulnerabilities (the .lnk shortcut and print-spooler bugs Stuxnet used). Does that mean the two programs came from different sources, or are the differences simply a function of what they're designed to do? Flame is vastly bigger and more complex according to cybersecurity experts (one says it's "20 times" more complicated than Stuxnet), but then it's designed to perform many more tasks than merely controlling the spin of uranium centrifuges. Another clue: the two seem to have emerged at roughly the same time. Stuxnet has been traced to as early as June 2009 but started circulating more widely in early 2010. Flame apparently started circulating at around the same time, although it may have been around as early as 2007, says Wired, noting that Stuxnet is believed to have been written in this same period. Indeed, we already know from the NYT that Stuxnet began development during Bush's administration and was, reportedly, accelerated by Obama. Looks like Flame might have been on the tasklist too.

We also know from the Times that Stuxnet was likely a joint U.S./Israeli project. ABC sees another common thread there:

A top Israeli official hinted today that his country could be behind the most sophisticated cyber espionage program ever developed, known as Flame, which infiltrated and has spied on computer systems throughout the Middle East, including those in Iran, for the past two years.

“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them,” Israel’s vice prime minister Moshe Yaalon told Israel’s Army Radio today, referring to the cyber attack. “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.”…

So far, researchers in the U.S. and abroad have said Flame appears to only be used for spying purposes, rather than being used to cause physical damage to systems, like Stuxnet. Still, Kaspersky Labs said in a blog post, “such highly flexible malware can be used to deploy specific attack modules” that could target a country’s critical infrastructure and there could also be variations of the code that have yet to be discovered.

In other words, Flame might have some sort of built-in Stuxnet-like capacity to take over industrial machinery if need be. (One of the UN’s own cybersecurity experts said, “I think it is a much more serious threat than Stuxnet.”) No one knows yet because they’re only just now starting to unpack it; it’s like an alien autopsy where you’re suddenly looking at an advanced physiology you’ve never seen and have to figure out what each of the organs does. Two obvious possibilities, then, on what Flame might be designed to do. One: It could detect Iranian chatter about how far along their nuclear program is, which in turn would tell Israel when time has run out and an attack needs to be launched. Right now they’re impatient with the halting negotiations between the west and Iran but willing to tolerate them, maybe because Flame is telling them that Iran hasn’t reached nuclear “breakout” capabilities just yet. Two: It could be a way to disable Iran’s air defenses in advance of an attack or, more ambitiously, Iran’s enrichment facility at Fordo, which is buried deep inside a mountain and virtually impervious to a conventional attack. If bombs can’t take that out, they’ll need another way in. Then again, if Israel has already penetrated Fordo well enough to get Flame onto the computers there, they probably already have another way in. Anything else I’m missing here, techies? All theories welcome. Exit quotation: “If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”

Blowback

Another possibility is the possibility of subtle sabotage. Stuxnet was designed to cause problems late in the process, at an unexpected location, and to be difficult to find.

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step. Stuxnet was designed to sabotage the centrifuges. I wouldn’t be surprised if this did the same. I’d have it mess with the machine tools so that they’d make too-small-to-notice errors in the dimensions of parts. I’d infect their chemical analyzers to show too much, then too little, purity in the uranium. I’d mess with the process control systems to make too much or too little coolant (or other liquids) flow. I’d have it report exactly what software is being used to program the detonation devices, and then infect that software so as to make the detonations misfire by a few milliseconds. I’d mess with missile guidance systems to make them report one set of flight telemetry while using a different set to make actual flight calculations.

That’s just the technical side. There’s also the social engineering side–send a not-so-anonymous email from a key technician or scientist maligning Allah, or offering to cooperate with western intelligence agencies. Change numbers in emails so that it reads “we have 200kg of uranium” instead of “20kg”. Create false alarms in the process control system. Spoof someone pulling a fire alarm. Set off an air-raid siren. Take over a radio station and announce a mandatory week-long holiday. Install a keylogger that occasionally inserts random letters while someone types, so they have to spend more time fixing typos.

In short, do everything possible to make the process of building a nuke so expensive, so time-consuming, and so painful that it becomes not worth the effort.

There has been a lot of this going on over there. One little gremlin took over a gig of file space and sent everything home, including conversations in the room. I think Israel confessed to this. Not sure.

That Kaspersky Lab anti-mal is super (got 100% in tests) and comes with a KGB Guarantee.

Latest rumor is that the bombing was a bluff all the time since O didn’t like it. President declined to bomb during his tenure.

On a more down to earth note, AP is the consummate chicken little. These pea brained idiots ain’t never gonna reverse engineer any virus to be a threat to us. They don’t write their own software, they buy it. They don’t build their own hardware, they buy it. They also likely need extensive outside help to perform machine integration. Stuxnet and Flame work so well because they are being used against early 19th century technologists with 6th century brains.

Hmm, why Stuxnet AND Flame? If Flame could do what is listed here I can’t see the need for Stuxnet.

SteveMG on May 29, 2012 at 5:55 PM

Stuxnet preceded Flame. Stuxnet was also specifically designed to screw with known industrial controls and the logic program running inside those controls. I don’t know that Flame has such capability especially since Stuxnet was most likely built with a considerable amount of insider information. Whoever built Stuxnet had access to the exact logic programs the Siemens controllers were running.

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step …

Mohonri on May 29, 2012 at 5:39 PM

Yeah. This app just isn’t … it just isn’t. It sounds like some weird CIA … IrfanView or something. It’s versatile, but it sounds just like a single-minded “spy” program with functionality I could literally code on this machine and compile on gcc, down to the Bluetooth. It’s even structured as a simple program, not a virus (apparently).

But Mohonri, your counter-intelligence measures, on the other hand, are pretty good. If you aren’t NSA, go take a test. And I recommend you call the suite “Gremlin.”

Embedded C programs that were available with similar Siemens equipment worldwide?

oldroy on May 29, 2012 at 6:07 PM

No. Logic controllers (PLCs, PACs) are not like typical PCs. They don’t come with optional software packages. They are blank slates and the logic program is written by the customer, or a 3rd party engineer.

Another possibility is the possibility of subtle sabotage. Stuxnet was designed to cause problems late in the process, at an unexpected location, and to be difficult to find.

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step. Stuxnet was designed to sabotage the centrifuges. I wouldn’t be surprised if this did the same. I’d have it mess with the machine tools so that they’d make too-small-to-notice errors in the dimensions of parts. I’d infect their chemical analyzers to show too much, then too little, purity in the uranium. I’d mess with the process control systems to make too much or too little coolant (or other liquids) flow. I’d have it report exactly what software is being used to program the detonation devices, and then infect that software so as to make the detonations misfire by a few milliseconds. I’d mess with missile guidance systems to make them report one set of flight telemetry while using a different set to make actual flight calculations.

That’s just the technical side. There’s also the social engineering side–send a not-so-anonymous email from a key technician or scientist maligning Allah, or offering to cooperate with western intelligence agencies. Change numbers in emails so that it reads “we have 200kg of uranium” instead of “20kg”. Create false alarms in the process control system. Spoof someone pulling a fire alarm. Set off an air-raid siren. Take over a radio station and announce a mandatory week-long holiday. Install a keylogger that occasionally inserts random letters while someone types, so they have to spend more time fixing typos.

In short, do everything possible to make the process of building a nuke so expensive, so time-consuming, and so painful that it becomes not worth the effort.

Mohonri on May 29, 2012 at 5:39 PM

The one problem with this is that other vulnerabilities and technical specifications need to be known and exploited. Not saying it can’t be done, but a lot of other pieces need to be managed.

I’d say the most important part of this new exploit does leave open the possibilities you raise, though. The fact that new modules can be downloaded is brilliant. It gives the people who are managing the weapon the option to add new features on an ad hoc basis. Frankly, I don’t know why I haven’t heard of this before. I know how to do this kind of programming, and it’s really not hard. I’m really surprised that it’s not in the wild.

Are you kidding? If Team Barry had something to crow about, there’d already be a package deal with Hollywood. Expect a film out sometime in mid-October.

Barry will be featured prominently, writing computer code while dressed in a white lab coat.

GarandFan on May 29, 2012 at 6:16 PM

No white coat. It would be Obama in shorts, sandals, and a two day beard sitting in the corner of the local starbucks, coding away.

oldroy on May 29, 2012 at 6:22 PM

Coats will be behind him at the press conference. In the movie, he’ll tap a pen against his teeth, look excited, and call the keystone-coats with “I’ve got it!” Then a montage where he’s explaining something from a laptop, a napkin, and a blackboard.

I doubt centrifuges are being run with PLCs. Can't say for sure, but I do doubt it.

Charlemagne on May 29, 2012 at 6:24 PM

Stuxnet is old news, and according to that old news they were. And why wouldn’t you control a centrifuge through a PLC? We aren’t talking about single stand alone centrifuges. We are talking about several in a single facility. It is much easier to use a single PLC networked to an HMI for complete control of all of the centrifuges in that circumstance.

Through the HMI operators would turn them on and off and control their speed. The PLC would be the on, off switch and the speed controller. Stuxnet screwed with data handling though through the Siemens controller and falsified the data files the monitoring devices were using to monitor the centrifuges.

Coats will be behind him at the press conference. In the movie, he’ll tap a pen against his teeth, look excited, and call the keystone-coats with “I’ve got it!” Then a montage where he’s explaining something from a laptop, a napkin, and a blackboard.

Axe on May 29, 2012 at 6:33 PM

Would there be a scene with him learning to program? Maybe in Indonesia? Outpacing the rest of the class, teaching the teacher? One of his many real-world skills that we didn’t know about?

Iran’s Supreme Leader Ayatollah Ali Khamenei has called the Internet a threat to national security and a dangerous double-edged knife that has benefits as well as risks.

Since 2009, Mr. Khamenei has instructed security forces to train and form units to battle cyberattacks to curb the influence of social-media websites.

In March, Mr. Khamenei issued a decree ordering the creation of the Supreme Council of Cyberspace, a committee consisting of high-level military and intelligence officials tasked with supervising cyber activity and warfare.

From WSJ. That bit about “Supreme Council of Cyberspace” is making me laugh. It’s like they are finally returning to the mothership.

… was out looking to see if centrifuges are controlled by PLCs. :) Could be controlled by 6502s and duct-tape for all I know.

Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[34] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[40] It also installs a rootkit—the first such documented case on this platform—that hides the malware on the system and masks the changes in rotational speed from monitoring systems.

They had insider info on the Iranian setup coming out their ears. The spy network inside Iran might make for a good movie someday.

Ralph Langner: First of all, the programmable logic controller [PLC] is the interface between a program and the actual machines that do something useful in the real world. This is not a computer in the sense that we see a Windows operating system or hard disk, et cetera. But you can think of it as a very small computer system that operates in real time, and in a single-tasking mode. This is where the actual attack routine from Stuxnet takes place. And by the way, Steven, to follow up on your introduction, the very interesting part is it's an actual surgical strike that you're seeing here. The Stuxnet program that is downloaded from a Windows PC, where the programmable logic controller first checks the type of PLC. But that's not all. It then continues to check if a specific program is loaded onto that controller, which is really something freaky, and that explains why from around the 100,000 infections that we see, even those with the automation equipment installed, that even there we don't have reported damage. The only sites with reported damage are as you mentioned Bushehr and Natanz, and this can be explained easily by this capability of Stuxnet to check if a specific program is running on the PLC. But it even gets better. Once the rogue ladder logic is on the PLC, it checks for specific program conditions. So it doesn't start right away to do the evil task it's carrying out. It's just sitting put and looking for a specific process condition, so for example, a specific drive to accelerate, and when that condition is reached, then the original ladder logic is no longer carried out, and Stuxnet takes over control.

I hate being this dumb in public, but I was tripping over the structure of the network, and Stux wasn’t helping with the fact that it lived half its life in a Windows PC and the other half on a PLC, presumably not running Windows. :)

So, this is a network of workstations, presumably PCs (and friends), connected to centrifuges (and friends) where programmable logic controllers are embedded, and Stux wormed over the network in the usual PC->PC way, but just looked around for the particular links it wanted, and when it found them, … did its thing on the PLC itself?

Sounds about right. All PLCs today are interfaced with using Windows based software. The programming software is used to write the program on your PC and you network your PC to the PLC to upload the program. That is how Stuxnet attached itself to the PLCs. PCs though are likely not connected to the centrifuges directly. PCs may have been used to monitor the centrifuges, but it was through HMIs or PC based monitoring software networked to the PLCs which just read data files on the PLC.

Ok. I’ve written for hardware, and I can program a microcontroller; but I’ve never programmed for an industrial process before. I can see it now. Thanks for babysitting for a bit. :) I think I’m up to speed.

They had insider info on the Iranian setup coming out their ears. The spy network inside Iran might make for a good movie someday.

It knew exactly what it was looking for, and it was designed such that it could circulate indefinitely before it found it. That explains that whole “lay low” activity profile it had. It never had to be introduced at any particular point.

Geez. Maybe I should have paid more attention when the story was the story, instead of just making myself a quick “virus messed up centrifuges” bumper sticker and skipping by. Stux kinda rocked.

LUA is an excellent choice for this sort of thing. Ordinarily, TCL would be an even better choice, but for a stealth app like this you would really need the smaller footprint, and a GUI would be just bloat.

LUA is an excellent choice for this sort of thing. Ordinarily, TCL would be an even better choice, but for a stealth app like this you would really need the smaller footprint, and a GUI would be just bloat.

tom on May 29, 2012 at 8:36 PM

FWIW guys, it’s not “LUA”, it’s “Lua”, as in the Portuguese word for “the Moon”.

Methinks somebody is having a little fun with the gullible journalistic types at Wired. Read that blockquote description of the “greatest spy weapon ever” a couple of times, and tell me it doesn’t start to sound faintly ridiculous.

Good stuff.
But you know, all this is is a delay. Flame’s discovery was only a matter of time, just as the other yet-undiscovered viruses and activities are.

What really will make this program stop is if the Iranians decide to. Either that, or a bombing campaign every 2-3 years to blow up Iranian nuke plants. Actually, that too will not stop the program, since the Iranians will adapt.

Purpose leak. Similar to the Special forces parachuting into North Korea story. The stuff that goes on involving this crap. We will NEVER know. Unless it’s trying to get the 2008’s Nobel peace prize winner another trophy. Expect Putin to put the screws to prez milquetoast.

Of course never expect O to denounce Pakistan for protecting bin Laden. Since O visited there as a younger guy. I'm not a birther, but how did O travel to Pakistan when he did, with restrictions on Americans traveling there?

Sounds about right. All PLCs today are interfaced with using Windows based software. The programming software is used to write the program on your PC and you network your PC to the PLC to upload the program. That is how Stuxnet attached itself to the PLCs. PCs though are likely not connected to the centrifuges directly. PCs may have been used to monitor the centrifuges, but it was through HMIs or PC based monitoring software networked to the PLCs which just read data files on the PLC.

My last job was working with process controls, and I did a presentation on Stuxnet. Stuxnet worked its way through the networks to the Windows PCs which were running the code development software (I forget the exact name of the software). From there, it infected the firmware which was then loaded on the PLCs. Once on the PLCs, it did its business messing with the speed on the VFDs, but it went further than that. It acted as a rootkit on a PLC, which at the time was rather novel. If a user attempted to download a clean, uninfected firmware to the PLC, the infected firmware on the PLC would infect the new firmware as it was downloaded. So you could try and update the PLC with clean firmware all day long without success. This also has the side effect of making it look like the PLC isn’t the problem–typically when debugging, if you update the firmware and the behavior doesn’t change, the problem is most likely elsewhere.
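The PLC-side behaviour described in the quoted Wikipedia and Langner passages and in the last comment (a rogue block that stays dormant unless a particular program is loaded, waits for a process condition, then pushes the drive through 1410 Hz, 2 Hz and 1064 Hz while hiding the change from whatever reads the controller's data) as a constructed Python model. This is an added illustration, not code from the page and not Stuxnet's code. The program fingerprint, the "reached nominal speed" trigger and the 5 Hz tolerance are invented for the demo, and treating 1064 Hz as the normal operating frequency is an assumption based on the quoted passage saying the payload returns to it. The point for a defender is the second half: a value read back through the controller can be replayed, so a check that wants to catch this has to compare against a measurement that does not pass through the controller at all.

```python
"""Toy model of a PLC with a Stuxnet-style rogue block, plus an out-of-band check.

Constructed for illustration; TARGET_PROGRAM, the trigger rule and the tolerance
are invented. NOMINAL_HZ = 1064 is assumed from the quoted passage."""

from dataclasses import dataclass, field

NOMINAL_HZ = 1064.0                       # assumed normal operating frequency
HOSTILE_SEQUENCE = [1410.0, 2.0, 1064.0]  # frequencies named in the quoted passage
TARGET_PROGRAM = "cascade-controller-v3"  # invented fingerprint the payload looks for


@dataclass
class Controller:
    """A PLC that runs operator logic and exposes a data block that HMIs read."""
    program_id: str            # fingerprint of the ladder logic currently loaded
    drive_hz: float = 0.0      # what the variable-frequency drive is actually commanded to
    data_block: float = 0.0    # what an HMI reading the PLC's memory sees
    recording: list = field(default_factory=list)  # genuine readings kept for replay
    attack_step: int = 0
    triggered: bool = False

    def scan(self, operator_setpoint: float) -> None:
        """One scan cycle: legitimate logic first, then the rogue block's hook."""
        self.drive_hz = operator_setpoint
        self.data_block = self.drive_hz
        self._rogue_hook()

    def _rogue_hook(self) -> None:
        # (1) dormant unless the targeted program is loaded on this controller
        if self.program_id != TARGET_PROGRAM:
            return
        # (2) while waiting, record genuine readings and watch for the process condition
        if not self.triggered:
            self.recording.append(self.data_block)
            if self.drive_hz >= NOMINAL_HZ:   # invented trigger: drive has reached nominal speed
                self.triggered = True
            return
        # (3) override the drive command with the hostile sequence, one step per scan
        if self.attack_step < len(HOSTILE_SEQUENCE):
            self.drive_hz = HOSTILE_SEQUENCE[self.attack_step]
            self.attack_step += 1
        # (4) mask: hand the HMI the last recorded steady-state value instead of the truth
        self.data_block = self.recording[-1]


def run(program_id: str, setpoints: list) -> tuple:
    """Drive the controller through the operator's setpoints.

    Returns (hmi_series, measured_series): what the HMI saw, and what a sensor that is
    NOT wired through the PLC (e.g. a separate tachometer) would have measured."""
    plc = Controller(program_id)
    hmi, measured = [], []
    for sp in setpoints:
        plc.scan(sp)
        hmi.append(plc.data_block)
        measured.append(plc.drive_hz)
    return hmi, measured


def out_of_band_check(hmi: list, measured: list, tolerance_hz: float = 5.0) -> list:
    """Indices where the independent measurement disagrees with the HMI-reported speed."""
    return [i for i, (h, m) in enumerate(zip(hmi, measured)) if abs(h - m) > tolerance_hz]


if __name__ == "__main__":
    # constructed operator ramp: spin up, then hold at nominal
    ramp = [0.0, 300.0, 600.0, 900.0, 1064.0, 1064.0, 1064.0, 1064.0, 1064.0]
    for prog in ("some-other-program", TARGET_PROGRAM):
        hmi, measured = run(prog, ramp)
        print(prog, "HMI saw:", hmi)
        print(prog, "sensor saw:", measured)
        print(prog, "divergent scans:", out_of_band_check(hmi, measured))
```

Running it shows the HMI series is identical for the targeted and untargeted controller, which is exactly why the rootkit was effective against operators watching the screens; only the independent sensor series reveals the 1410 Hz and 2 Hz excursions. The same logic applies to the last comment's debugging heuristic: if the controller can lie about its own state, "the behaviour didn't change after I reloaded it" is not evidence that the controller is clean.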